Room 151

Data Protection: New regulation is on the way, are you ready?

  • by Guest
  • in Blogs · LGPS
  • — 12 Dec, 2017

Photo: Geralt/Pixabay, CC0

Stringent new rules for the management of data are on the way with implications for LGPS. Kirsty Bartlett explains the key stages for achieving compliance.

On 25 May 2018 the General Data Protection Regulation (GDPR) will apply across the European Union. This represents a significant challenge for LGPS administering authorities: there is a lot to do from a pensions perspective to demonstrate compliance with the new law.

The underlying concepts of GDPR will be familiar from existing UK legislation (the Data Protection Act 1998), but some of the detailed requirements are tougher and the process for demonstrating compliance will change. The risks of getting it wrong are significantly greater: the maximum fine will increase from £500,000 to €20m (or 4% of global annual turnover if higher, although it is not clear how a turnover-based figure would apply to an administering authority).

Stage 1: Data mapping

Administering authorities are data controllers of the information they collect in order to pay pension benefits. Under GDPR, data controllers must, on request, make available to the Information Commissioner's Office (ICO) a written record of the personal data they hold, the legal basis for holding it, how it is processed and safeguarded, and how long it is retained.

This data map must cover administering authorities and any data processors. In practice, it is recommended that any other data controllers with whom administering authorities share personal data (e.g. scheme employers) are included in the data mapping process: the reputational risk of a data breach concerning LGPS data will inevitably spread to administering authorities even if they are not at fault.

Data mapping is the gateway to GDPR compliance: the remaining stages all flow from understanding how personal data is currently processed. It is a complex process that will inevitably require input from a number of third parties; administering authorities need to contact any third party administrator, their actuary, auditor, legal adviser, occupational health provider, AVC providers, etc. It is not uncommon for funds to involve a dozen, or more, data processors in their data map. And that’s before considering several hundred participating employers.

The key message is to start your data mapping now if it is not already underway. Asking data processors to complete a standard questionnaire can help to manage the process more efficiently and provide responses in a common format to ease analysis and further due diligence. Your legal adviser should be able to assist.

Stage 2: Updating processes

Once the data map is complete, administering authorities should consider whether their current processes are adequate. GDPR is an opportunity to keep pace with best practice, not just a form-filling exercise. Risk registers and policies should be reviewed and updated where necessary.

As a minimum, administering authorities should have a breach response plan that enables them to report notifiable personal data breaches to the ICO within the 72-hour deadline, which runs from the point at which the authority becomes aware of the breach; they should also have a process for meeting the new shorter timescale for subject access requests (one month, rather than the current 40 days).

Public authorities are required to appoint a data protection officer, and administering authorities are likely to have a wider GDPR compliance plan that will need to involve those responsible for LGPS funds. Having a data protection champion within the LGPS team could nevertheless be a useful practical step. The personal data held for LGPS fund purposes is a high risk area for administering authorities: it is exactly the type of data attractive to fraudsters, and it must be retained for an extremely long time.

Stage 3: Reviewing contracts

All contracts with third party data processors will need to be reviewed and updated before May 2018. The requirements for such contracts under GDPR are stricter than under current UK law, and data processors will have direct legal obligations and liabilities of their own. Some data processors may look to pass all, or some, of those liabilities back to data controllers under their contracts.

At least one large consultancy has already written to all clients looking to impose a standard GDPR contract amendment by notice: those who don’t object will be deemed to have accepted the new wording. Administering authorities will need to review any wording put to them, or require data processors to accept the fund’s own standard contract amendments.

Stage 4: Communications with members

All LGPS fund members should be issued with an updated privacy notice before May 2018, informing them what personal data is held, how it is processed and how long it will be held for. GDPR is more prescriptive about the content of these notices, so current notices are unlikely to comply. GDPR also requires privacy notices to be concise and easy to understand, which represents a real challenge given the mandatory content.

The good news is that administering authorities will not need to seek individual member consent to collect and process personal data for their LGPS funds. Obtaining consent under GDPR is a more onerous process and consent must be capable of being withdrawn at any time. Instead, administering authorities can rely on their legal obligation to comply with the LGPS Regulations as the lawful basis for collecting and processing personal data.

Some circumstances will require special consideration. Personal data relating to health or sexual orientation is "special category" data and attracts a higher standard of protection, so communications dealing with ill health pensions and survivor benefits need to be revisited. Administering authorities may decide it is impractical to issue a privacy notice to every potential dependant named on an expression of wish form, but they could instead ask members to tell their nominees that their personal data has been provided to the LGPS fund.

GDPR is unlikely to change fundamentally how administering authorities process personal data, but there is a lot of legwork needed between now and May 2018 to demonstrate compliance. Brexit is no silver bullet: the Data Protection Bill currently going through Parliament will enshrine GDPR into UK law. Authorities needing additional resource can contact the LGPS Frameworks to engage an appropriate third party adviser.

The world will not stop turning on 25 May 2018 but, if you do have a data breach, the ICO is likely to be more sympathetic to administering authorities that have taken significant steps towards GDPR compliance before then.

Kirsty Bartlett

Kirsty Bartlett is a partner at Squire Patton Boggs (UK) LLP.


© Copyright 2022 Room 151.